The target is a WD Mybook 1TB external USB drive…PLENTY of space left. I notice both the GUI created dd image and the one I attempted above both cut off at about 4.1GB…The volume is around 180GB. Starting sector 218129509 too large for imageĭd.exe if=\\.\F of="G\Investigation_Images\filename2.dd" –log="G\Investigation_Images\filename2.dd_audit.log"Ĭ\>dd.exe if=\\.\F of="G\Investigation_Images\filename2.dd"ĭd.exe G\Investigation_Images\filename2.dd No space left on device
Tsk_img_open Type n/a NumImg 1 Img1 G\Investigation_Images\filename.dd Invalid sector address (dos_load_prim_table Starting sector too large for image)Ĭ\sleuthkit-win32-2.52\bin>mmstat -t dos -v G\Investigation_Images\filename.dd
I can easily browse the NTFS partition while in Linux so I know everything is intact.Ĭ\sleuthkit-win32-2.52\bin>mmls G\Investigation_Images\filename.ddĬ\sleuthkit-win32-2.52\bin>mmls -i raw G\Investigation_Images\filename.ddĬ\sleuthkit-win32-2.52\bin>mmls -i raw -t dos G\Investigation_Images\filename.dd
I'm tending to think it has something to do with the hidden utility partition, but I don't know how to work around this. If this is a disk image file, return to the previous page and change the type. Warning file system of the volume image file could not be determined. I have tried both logical and the entire disk… The error that I get in Autopsy is The dd image completes successfully, but I get an interesting error when attempting to open the image in Autopsy. It appears to have a hidden utility partition (part of Lenovo utils). The drive I am currently working on is a 2.5" SATA drive from a Thinkpad T61.
Then, boot the Helix cd to linux and run autopsy. I use the Helix CD in windows to make an image of my investigation drives using the GUI interface for dd. While I've done many dd images, I have never had an issue opening them up with autopsy.
0 kommentar(er)
